Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 / 910 Appliance Features and Known Limitations

This article lists the unsupported/supported features and known limitations of Check Point R77.20 for 600 / 700 / 1100 / 1200R / 1400 Appliances. 

  • Supported and Unsupported Features
  • Known Limitations

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.

For more information, see the Check Point 600, Check Point 700, Check Point 1100, Check Point 1200R and Check Point 1400 Appliance Product Pages.

Visit Check Point CheckMates Community and the SMB Forum to ask questions or start a discussion and get our experts' assistance.

Important Note: Embedded Gaia software inherits its code base from the R77.30 GA version of Enterprise appliances. Therefore, although not specifically mentioned, the R77.20 SMB gateways inherit all maintrain limitations (see sk122486).

Supported and Unsupported Features


Software Blades

| Blade / Feature | Locally managed | Centrally managed | Platforms | Comments |
|---|---|---|---|---|
| Firewall | Yes | Yes | All | |
| IPS Blade | Yes | Yes | All | Strict mode is not recommended on 600/1100 appliances. |
| IPSec VPN Blade | Yes | Yes | All | |
| Anti-Bot Blade | Yes | Yes | All | |
| Anti-Virus Blade | Yes | Yes | All | |
| Traditional Anti-Virus Blade | Yes | Yes | All | |
| Threat Emulation Blade | Yes | Yes | 700/1200R/1400 | R77.20.51 and higher. Cloud Threat Emulation or remote Emulation in private Sandblast appliance. Refer to sk114815. |
| Threat Extraction Blade (sk101553) | No | No | N/A | |
| Anti-Spam and Email Security Blade | Yes | Yes | All | |
| Data Loss Prevention (DLP) Blade | No | No | N/A | |
| Application Control Blade | Yes | Yes | All | |
| URL Filtering Blade | Yes | Yes | All | |
| Content Awareness | No | No | N/A | |
| Identity Awareness Blade | Yes | Yes | All | |
| Monitoring Blade | No | No | N/A | Other monitoring solutions are available. |
| Mobile Access Blade | Partial | Partial | All | Remote access clients are supported (Endpoint, SNX). Mobile Access Web Portal is not supported. |
| QoS | Yes | Yes | All | |
| Compliance Blade | No | No | N/A | |
| HTTPS Inspection | Yes | Yes | 700/1400/1200R | Centrally managed appliances: supported on 1100/1400/1200R appliances since R77.20. Locally managed appliances: supported on 700/1400/1200R appliances since R77.20.70. Refer to sk121214. |
| Inbound HTTPS Inspection | No | Yes | 1400/1200R | Centrally managed appliances: supported on 1400/1200R appliances since R77.20 |
| Geo Protection | No | No | N/A | |

Global Features

| Blade / Feature | Locally managed | Centrally managed | Platforms | Comments |
|---|---|---|---|---|
| Network Address Translation (NAT) | Yes | Yes | All | |
| SecureXL | Yes | Yes | All | |
| CoreXL | Yes | Yes | 750/770/790/450/1470/1490 | |
| Dynamic Routing | Yes | Yes | All | |
| Policy Based Routing (PBR) | Partial | Partial | All | Support for source and service based routing. |
| SNMP | Yes | Yes | All | |
| DHCP Client | Yes | Yes | All | For external interfaces |
| DHCP Relay | Yes | Yes | All | For internal interfaces |
| DHCP Server | Yes | Yes | All | For internal interfaces |
| NTP Client | Yes | Yes | All | |
| NTP Server | No | No | N/A | |
| Jumbo Frames | No | No | N/A | |
| Rule Hit Count | No | No | N/A | |
| UserCheck | Yes | Yes | All | UserCheck client is not supported. |
| Local management web Portal | Yes | Yes | All | |
| IPv6 | Yes | Yes | 700/1400/1200R | Since R77.20.60. Refer to sk118816. |
| VRRP | No | No | N/A | |
| VPN Link Selection | Yes | Yes | All | Refer to sk115868. |
| VPN Service based link selection | No | Yes | 1100/1200R/1400 | |
| VPN VTI | Yes | Yes | All | |
| Suspicious Activity Monitoring (SAM) Rules | No | No | N/A | |
| ISP Redundancy | Yes | Yes | All | |
| SmartUpdate | No | Yes | 1100/1200R/1400 | |
| SmartProvisioning / SmartLSM | No | Yes | 1100/1200R/1400 | |
| Anti-Virus archive scanning | No | No | N/A | |
| Threat Emulation archive scanning | No | No | N/A | |
| Mail Transfer Agent (MTA) support for Threat Emulation | No | No | N/A | |
| Span Port | Yes | Yes | 700/1400/1200R | Since R77.20.40 |
| Monitor Mode | Yes | Yes | All | Refer to sk112572. |
| HTTP/HTTPS proxy | No | No | N/A | |
| IPS Packet Capture | No | No | N/A | |
| Traditional VPN mode | No | No | N/A | |
| Multiple Entry Points (MEP) | No | Yes | 1100/1400/1200R | |
| Load Sharing Cluster mode | No | No | N/A | |
| Bond / Link aggregated interface | No | No | Refer to sk114217 | |
| Alias / Secondary IP address | No | No | All | |
| ThreatCloud IntelliStore | No | No | N/A | |
| IP Helper | No | No | N/A | |

Resource Control

| Blade / Feature | Locally managed | Centrally managed | Platforms | Comments |
|---|---|---|---|---|
| CPU monitoring | Yes | Yes | All | |
| Memory monitoring | Yes | Yes | All | |
| CPU enforcement | No | No | N/A | |
| Memory enforcement | No | No | N/A | |
| "All-IN-One" license | Yes | Yes | All | Since R77.20.70 (central license is still not supported) |

Gaia Embedded OS Unique Features

| Blade / Feature | Locally managed | Centrally managed | Platforms | Comments |
|---|---|---|---|---|
| DSL | Yes | Yes | 600/1100 | |
| Fiber connection | Yes | Yes | 1200R/770/790/1470/1490 | |
| Wireless 2GHz | Yes | Yes | 600/700/1100/1400 (specific models) | In 770/790/1470/1490 appliances dual bands are supported. |
| Wireless 5GHz | Yes | Yes | 700/1400 (specific models) | In 770/790/1470/1490 appliances dual bands are supported. |
| PoE | Yes | Yes | 770/790/1470/1490 (specific models) | |
| Rapid Deployment with SD-Card / USB Drive | Yes | Yes | All | Refer to sk111586. |
| Hotspot portal | Yes | Yes | All | |


Known Limitations

Table of Contents

Firmware and Configuration
SSL Network Extender
Application Control
Online Updates
SSL Inspection
User / Identity Awareness      
SmartView Monitor
Logging and Monitoring      
Hotspot Portal
Dynamic Routing
Active Directory   
Command Line Interface (CLI)      
600 & 1100 Wireless Appliances



ID Symptoms
Firmware and Configuration
01478059 Locally managed firmware includes the ability to categorize some sites over HTTPS traffic (URLF over HTTPS), but full SSL inspection is not supported. Note that full SSL inspection is supported when the appliance is centrally managed.
  • SSL inspection in locally managed 700/1400/1200R appliances is supported since R77.20.70. Refer to sk121214.
01441874 Gradual deployments are not supported.
01536437 When configuring the First Time Configuration Wizard from the WAN interface you cannot set the SIC One-Time-Password immediately after the FTW. To set it you need to refresh your web browser first. 
02060386 Use of AD Query with NTLMv2 is not supported for Small Office appliances.
01612630  When upgrading a locally managed cluster from R75.20.x to R77.20.x, the secondary cluster is not saved.
  • Workaround: Before upgrading, detach the secondary cluster member and reattach it to the primary member after the upgrade. 
01593822  When upgrading a centrally managed appliance from R75.20.x to R77.20 with SmartUpdate, you must install the Threat Prevention policy after the upgrade because it cannot be prepared before the upgrade. 
01650425 In small office appliances that are connected to a Cloud Services Provider and are part of a community that includes an externally managed gateway, after upgrading from R75.20 to R77.20 it is necessary to remove the gateway from the community and then add it back.
01681962 When upgrading from version R75.20.60 or lower to R77.20, the Anti-Bot license in locally managed appliances is shown as inactive in the WebUI. 
SMB-10781 Incoming firewall rules that were created in version R77.20.85 cannot be cloned after upgrading to R77.20.86.

The "Force Member Down" button does not work in a local cluster configuration when the internet connection interface is set to "Monitored" and the cluster members do not have similar internet connection names.

  • Workaround: Rename the internet connections so that they are the same for both cluster members.
SMB-10843 In internet connection probing mode, all internet-connections on a primary member must be down for a cluster failover to occur. See sk163513

When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IP addresses range. Therefore, the DHCP server might serve this IP to another computer in the same network which will cause connectivity issues.

  • Workaround: Manually exclude the other cluster member's IP address from the range.
01124242 Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device -> Local Network page in the WebUI.
01119896 When configuring a cluster, you cannot use a wireless interface as the Sync interface.
- Configuring Bridge/Switch on network interfaces is not supported in Cluster High Availability mode.

Note: Bridge mode cluster is supported on 1200R and 1400 appliances running centrally managed version R77.20.75 and higher. For more details, refer to sk122659.  

01117967 Configuring a Cluster Virtual IP address in a PPP interface is not supported, but the interface can still be monitored by ClusterXL.
01216507  When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined to allow connectivity between the cluster members on the sync interface. 
01615874 When defining a locally managed cluster, the Virtual IP address of a clustered interface has to be in the same subnet as the real IP addresses of the cluster members. 
01618299 In rare cases, during cluster creation or after upgrading a cluster, an "Error 00361" message is shown. This error may indicate a temporarily busy database.
Go to the secondary cluster member, disconnect it from the cluster, and then reconnect it.
01622228 In locally managed small office appliances, after resetting cluster settings it is recommended to wait a few minutes before redefining the cluster to avoid failure. 
01679081 In deployments that use centrally managed appliances, if you use a Threat Prevention rule and the "install on" column includes a cluster object of 1100 or 1200R gateways.
Refer to sk106367
01700435 When an 1100/1200R appliance is centrally managed, the "Use Virtual MAC" checkbox is not shown in ClusterXL -> Advanced settings in SmartDashboard.
To enable it, follow the instructions in sk106581.
01615544 The user cannot configure a locally managed cluster with SMP or an externally managed log server. 
01585228 Following cpstop;cpstart of an HA cluster member that is standby or down, it can take a few minutes for the cpha state to come back up. During this time, the active member is up and running so there is no connectivity loss. 
- Site-to-Site VPN does not work if the connection type of the external interface is "Bridge" and SecureXL is active.
01596260 The drop templates optimization feature is not supported.
01478091 The SecureXL penalty box mechanism is not supported. 
01634877 In 1100 centrally managed appliances, using unnumbered VTIs and OSPF together is not supported when SecureXL is inactive. Note that SecureXL is active by default. 
When multiple internet connections are configured in High Availability mode, and primary connection failover occurs without the main connection going down/restarting, traffic will continue to be routed for the previous primary connection for more than the routing cache lifetime (20 seconds) if the QoS blade is configured.
SMB-12567 Asymmetric-routing is not supported for SNMP traffic.
SMB-11744 Connections are not accelerated in ISP load-balancing mode. Therefore, download speed is significantly less than for connections in High Availability mode.
SMB-13068 In rare conditions, when you enable DHCP or Relay for the bridged interface between LAN and WiFi, this message appears: "Can not add more DHCP scopes for that network." This message can be safely ignored.
01675365  In 1200R appliances, for deployments that use a bridge, when you click Get Topology in SmartDashboard, the gateway also shows the brX interface. Ignore the brX interface; we recommend that you delete it.
01687455 In 1200R appliances, the PIM dynamic routing protocol does not work.
Refer to sk108849
01629323  The MAC address for vpnt-type interfaces in 1200R appliances is shown as 00:00:00:00:00.
01629097 Unnumbered VTI is not supported in 1200R appliances.
01613042  Unnumbered VTIs can only be associated with external interfaces through the Internet connection definition. Other interface types are not supported 
01629314 When using numbered VTI, the traffic on Rx and Tx in vpnt interfaces is shown as zero.
01663019  Bridge interfaces cannot be disabled. 
01662062  It is not possible to configure a bridge if interfaces have not been assigned in the Local Networks WebUI page. 

Configuring appliances with a DNS server that does not resolve public domain names may cause issues in various features, including timeouts during SIC establishment, log page not being responsive, and more. Make sure to configure DNS servers that can be reached from the appliance.

01667462  In wireless appliances, to use WEP you must use the first defined Network Password. It does not support multiple passwords.

When trying to add a disabled LAN interface to a bridge, the operation fails with an irrelevant message about wireless.

  • Workaround: enable the LAN interface before adding it to the bridge. 
01679176 In the local networks page in the local WebUI, the status of a wireless network for wireless appliances shows as UP even if the wireless radio is off. 
01664588, 01803277 When the WAN Internet connection is configured as PPPoE, an Anti-Spoofing warning appears in SmartView Tracker. You can safely ignore the warning. 
01779796, 01782611, 01780458, 01782994, 01781560, 01749108, 01749088  Long connections with many HTTP sessions, that transfer files to the server and back, cause a high memory consumption. 
02340232 Configuration of a bridge to the internet (one leg on an external interface) with additional internet connections (MISP configuration / Multiple ISPs) is not supported. 

Inspection of IMAP over SSL is supported from R80.20.85 using Plain authentication.

Dynamic Routing
01475633 The CLISH command "show configuration" does not show dynamic routing configuration.
01966190  BGP MD5 is not supported.
01432740 Policy based routing rules are not enforced on POP3 traffic when the Anti-Virus or Anti-Spam blades are active and set to inspect POP3 traffic. Policy based routing rules are also not enforced on SMTP traffic when inspecting outgoing SMTP traffic is configured. 
Command Line Interface (CLI)
'Gaia OS' Best Practices are not supported for 1100, 1200R and 1400 appliances.
Refer to sk108416.
01628763 When there is a heavy load of traffic passing through the 1200R appliance, the CPU reaches 100% and 0% idle with the top command. In some cases, when the load is no longer heavy the top command continues to show 100% CPU and 0% idle.
01453249 Using autocomplete in CLISH after the parameter application name in Application Control configuration takes several minutes to show all options.
01502833  Cluster mode configuration of the gateway is not supported in CLI. 
01467515  When creating a Firewall or NAT rule in CLI, the source/destination value must be a network object and not just an IP address. 
01502857  File related configuration (certificates, customized logo for portals) is not supported. 
01538860 CLI does not support reordering Firewall and QoS rules.
01530780  Using autocomplete in CLISH after the parameter protection-name in IPS configuration takes several minutes to show all options. 
01634523 The SNX command line for Linux (script that can be downloaded from the SNX portal using the "Download command line SNX for Linux") fails on Small Office appliances.
01620625  In locally managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname. See sk162472
01849807 In 1200R appliances, when running the "show diag" command in CLISH, the device temperature is shown as 0 instead of the actual device temperature. 
01855170 The CLISH command "show net-obj" is obsolete. Use the command "show networks" instead. 
SMB-2558 Adding a CLI category name for Application Awareness/URL filtering or SSL inspection configuration results in "Failed to find the requested category-name" error when the name is more than one word.
  • Use the category ID instead of the application name.
01580759 When installing a policy with the IPS blade turned on, a warning message is sometimes shown that states the IPS contract is expired even when the contract is valid in the User Center and is shown as valid in the appliance's WebUI.
01578807, 01627049, 01629010, 01571753, 01634746, 01600189, 01654753 The IPS protection "Non compliant HTTP" drops a valid HTTP reply containing an empty zip file. 
Application Control
02398227 The Signature Tool for Custom Application Control and URL Filtering Applications is not supported for locally managed Small Office appliances.
02446116 In SmartDashboard, the Application Control & URLF Rule Base does not support the "securityZone" type object. Beginning with the R80 Management version, such objects can be used in the unified Rule Base for rules that do not include any matching for applications and categories. 
In locally managed devices, configuring FQDN objects is not supported.
In locally managed devices, it is not possible to configure Applications in policy base for incoming / VPN traffic.
- SNI is not supported on 1400 with R77.20. Refer to sk168632
SSL Inspection
SMB-11127 When HTTPS categorization is turned on, only certificates up to 16KB in size are supported.
SMB-14428 HTTPS Inspection bypass rules that use URL objects do not work when Probe Bypass is enabled for:
  • Websites with unsupported cipher-suites (refer to sk104562)
  • Websites with SNI extension
To bypass those websites, the HTTPS Inspection bypass rules must use IP-address objects.
01488784 Usercheck client is not supported in either centrally or locally managed mode of appliances.
01537634  In centrally managed 1200R appliances, when the host is behind the 1200R appliance, the UserCheck client is not supported. 
01571705 To search the security logs on the local web portal for a specific UserCheck incident ID, use this filter string "UserCheck Incident UID:" followed by the ID. 
02443426 In Centrally Managed Small Office appliances, the UserCheck portal does not appear if the configuration for the main URL of the UserCheck portal under gateway settings is set to use the gateway's external IP address. 
User / Identity Awareness
01193839 On locally managed appliances, only single DC is supported per AD server. 
01116406 An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.
  • Workaround: Install another Domain Controller in the internal zone of the device. 

In centrally managed appliances, these user identifications methods are not supported (even though they appear in SmartDashboard):

  • Identity agent - supported in central management scenarios since R77.20.31.
    Refer to sk97751.
  • RADIUS accounting
  • Terminal servers
01508334 In locally managed appliances, when using Active Directory Queries, user and user group names are not supported in unicode. 
SMB-6786 Check Point Identity Agent is not supported together with Remote Access (RA). It is strongly recommended not to enable them simultaneously.
  • Identity Awareness supports authentication of AD users, user groups, organization units. In addition, you can define LDAP groups with more advanced filtering.
  • Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers.'
- SMB appliances do not support the Identity Collector. 

When upgrading from R75.20.x to R77.20.x in a locally managed appliance, a VPN site will cease to work if it was defined with one of these options:

  • Using a hostname and pre-shared secret.
  • Using a hostname and a certificate without a DN in the Certificate Matching settings.
  • Workaround: Define the VPN site with a certificate and DN authentication.
Locally managed appliances do not support subordinate certificates.
  • Resolved in R77.20.80 for *.P12 files only. For .crt files, refer to sk157413.
01118273  Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a locally managed cluster is not supported. 

The WebUI Home -> Security Dashboard page shows the VPN Remote Access blade as turned "ON" only if the gateway object in SmartDashboard is set with IPSec VPN and the gateway is part of the Remote Access community.

When the object is defined but not part of the Remote Access community, the WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "OFF". 


Dead Peer Detection is not supported in centrally and locally managed modes of the appliances.


In a locally managed appliance, you can define a remote VPN site and route all traffic through that site. The option to define a remote VPN site that routes all traffic to the gateway itself is not supported. 

01571378 In centrally managed appliances, when the appliance takes part in site-to-site VPN with route all traffic, access to SSH and WebUI fails.
01512007 In locally managed appliances, VPN sites configured with the IKEv2 encryption method and "Default (Most compatible)" encryption settings only support peer sites configured with Diffie-Hellman group 2.
  • Workaround: Configure an encryption suite that matches the peer's configuration. 
01596206  Centrally managed 1100 or 1200R appliances might encounter issues if the Security Management Server uses an external CA for certificates that is not a Check Point CA. This is rare as the Security Management Server's internal CA is usually used for the entire system. 
01598717  In locally managed appliances with a defined proxy, if a 3rd party external Trusted CA is used in a certificate, CRL validation does not work. Disable CRL validation for the CA or disable the proxy. 
01606549  In locally managed appliances, a remote site can only initiate connections when it is configured with IKEv2 and uses a preshared secret. 
01603584  Remote Access SecurID authentication is not supported in locally managed mode of appliances. 

In centrally managed environments with a DAIP gateway, the use of the "vpn tu" shell command to manually delete Security Associations (SAs) on the central gateway side during VPN Site to Site requires a manual deletion of the SAs also on the DAIP gateway side.


When configuring VPN community members, a gateway "Dynamic IP" configuration is not supported for VPN communities that use these encryption suites:

  • Suite-B-GCM-256, SHA-384, (Group 20)
  • Suite-B-GCM-128, SHA-256 (Group 19)
  • VPN B
01599245  In locally managed mode, when submitting a certificate signing request that contains alternative subject names, the resulting certificate contains only the DN as the subject and not the alternative names. 
01617970 In a VPN community with permanent tunnels (in gateways with Dynamic Addresses or that belong to an LSM profile), to enable sending a Tunnel Test to peer from the IP of an internal interface of a 1100 or 1200R gateway, use the Advanced setting - VPN Site to Site global settings - Perform Tunnel Tests using as internal.

When the gateway is behind NAT, the use of IKEv2 with a preshared secret in VPN site to site is not supported.

  • Workaround: Use a certificate.
01625041  When a VPN community includes dynamic IP addresses for remote sites (behind NAT or connection via hostname), only Diffie-Hellman group 2 is supported. 
01624917  In centrally managed appliances, the VPN overview page in SmartDashboard does not show tunnels from small office appliances. 
01619432  When a small office appliance is configured as the center of a VPN Star community, MEP configuration using IP Pool NAT is currently not supported. 
01663225  When configuring a remote site using a certificate and aggressive mode in VPN site to site in locally managed appliances, a peer ID string in aggressive mode must be configured. 
01663202 The combined use of IKEv2 and aggressive mode is not supported.
01667100  Permanent tunnels are not available when the VPN site to site configuration uses IKEv2 and one of the sites has a dynamically allocated IP address.
01654907  In centrally managed Small Office Appliances, VPN Traditional Mode is not supported. 
01664759  When configuring the aggressive mode peer ID field for VPN remote sites in locally managed appliances, you can only enter alphanumeric characters and these special characters _-.@~!#%$ 
01658035 When configuring DHCP relay on centrally managed appliances, if the DHCP server is in a VPN peer's encryption domain, the implied rule "Accept Dynamic Address modules' outgoing Internet connections" must be disabled in SmartDashboard for the DHCP requests to be sent encrypted.
  • Workaround: Create manual rules that allow DHCP.
01675202  When using aggressive mode with user peer_id, the remote VPN peer has to be a mobile peer for authentication to succeed. 

In locally managed appliances, when defining a remote site using a custom encryption suite and IKEv2 is selected, multiple selection of Diffie-Hellman groups may cause issues.

  • Workaround: Choose the specific Diffie-Hellman group that the remote site uses. 
01663162  When using Aggressive mode with peer ID in VPN site to site in locally managed appliances, the VPN Remote Access blade must be turned on (even if no users are defined with remote access privileges). 
01679057 When the external interface is used as a bridge to local networks, VPN site to site traffic is not supported. 

VPN aggressive mode and NAT-T are not supported. 

  • Resolved in: Added support for NAT-T in Aggressive Mode for versions R77.20.75 and higher.
01717741 When you connect to the appliance with Remote Access VPN, the appliance only uses the default internal certificate. 
01922567 RIM configuration is not supported in this firmware. RIM functionality is usually needed in the center gateways of a VPN star community. This image is primarily used in satellite gateways.
02115796 The "Route all traffic through gateway" option is not supported for SSL Network Extender clients. 
01260760  In locally managed small office appliances, when a cluster failover happens, VPN Remote Access clients need to re-establish the connection. Also, a different certificate is seen when re-connecting. 
SMB-14125 Encryption domain per VPN community is not supported on SMB devices (1100, 1400 and the 1500 series).
Encryption domain per VPN community policy is not supported if an SMB device with pre-R80 firmware is one of the policy targets
SMB-1149  Trusted links configuration for centrally managed Small Office appliances is the same as described in the VPN Administration Guide. Automatic topology is not supported. The gateway object must be configured with manual topology.
SMB-1895 Locally managed appliances cannot establish a VPN connection to a remote site that consists of multiple centrally managed hub VPN gateways in a MEP configuration.
SMB-3002 In locally managed gateways with a dynamic IP address: A site to site VPN configured with IKEv2 and a pre-shared key is supported only with Check Point peers and requires identifier settings. 
SMB-2668 When a VPN tunnel goes down, routes that use the associated VTI as a target (next hop) remain active. Therefore, you cannot use metric-based failover between routes to different VTIs. 
SMB-2689 The "New Certificate Request" feature that allows an external CA to sign the device's certificate does not include the defined Alternative Names in the request. 
SMB-11978 The Remote Access feature "Location Aware Connectivity" is not supported on locally managed SMB appliances.
SMB-9710 MEP is not supported in Remote Access VPN.
SMB-9711  Locally managed appliances do not support subordinate certificates. Resolved in R77.20.80 for *.P12 files only. For .crt files, refer to sk157413
SMB-12201 Site to site directional VPN is not supported.
02066383 Admin access (WebUI+SSH) fails when connecting via VPN Remote Access using L2TP in 700/1400/1200R appliances.
  • Use Checkpoint Endpoint Security VPN instead.
  • Resolved In: R80.20GA
 - 2-Factor-Authentication using mobile access is not supported.
01448274 The Suspicious email outbreak engine in the Anti-Bot software blade is not supported.
SMB-12362 MD5-based exceptions in Threat Prevention do not work on some of the variations of the Eicar test file when it is transferred over non-HTTP protocols (FTP, POP3, IMAP, SMTP).

The Anti-Virus engine supports these protocols only: HTTP, SMTP, and POP3. FTP is not supported.

02002893  If the legacy Anti-Virus engine is used in centrally managed R77.20-based Small Office appliances or 1200R appliances, local reports do not show Anti-Virus statistics.
02282436 Connectivity issues with FTP traffic on centrally managed devices when Traditional Anti-Virus with IPS is activated.
01261065 These characters cannot be used in WebUI textual fields:
  • single quote - '
  • double quote - "
  • backslash - \
01098614 Toggling between Central and Local Management modes of the appliance is not supported when a cluster is configured. To change to Central Management mode, an administrator must first disable the local cluster
01102696 RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab -> Authentication Servers page -> RADIUS servers link) since there is no direct Delete option. 
01469798 Configuration of the serial port through Advanced Settings is not supported when an Internet connection is configured to an analog modem through the serial port.
01530767  Downloading cpinfo in the 600 and 1100 appliances can trigger CPU spikes. In rare cases, the preparation and download of the cpinfo can take a significant amount of time.
01597690  The Monitor mode option for interfaces is not available on 1200R appliances. 
01610850  When defining server objects, the "Force translated traffic to return to the gateway" is important for traffic originating from internal sources. However, currently, sources of all traffic to the server will be translated and hidden behind the gateway's IP address. 
01596220  Host objects can be defined with up to 32 characters. 
01582663  When a log in a locally managed appliance shows the "myown_obj" object, it in fact means "this appliance".
01675566 In locally managed appliances, in the Threat Prevention Exception page -> Malware Exceptions section, if the "Scope" field is not configured to "Any" it may result in the exception not being matched. 
01667323 The Identity Awareness portal sometimes does not show correctly in a Chrome browser.
02340182 When more than one VAP is added to a local network switch or bridge, it cannot be unassigned.
  • Workaround: delete it and then recreate it. 
SMB-1978  If a user uploads a company logo for portal customization which is too large (even a 2-3 MB file in 600/1100 appliances), the appliance might not load properly due to low disk space.

After replacing the web portal certificate, login to the administration web portal fails with a "Connectivity error. Refresh page and retry" message due to the browser's certificate caching mechanism.

  • Workaround: refresh the page.

Attempting to configure the same specific feature through WebUI and CLI interfaces at the same time may cause settings to be overridden or subject to submission timing.

SMB-10029 Changing the order of the SSL inspection exceptions in the WebUI does not show in the WebUI display even though the order is changed and this can be seen in CLI.
  • Workaround: To change the order, delete the exception and then add it in the new location.
SmartDashboard / SmartConsole
01508830 The VPN Advanced option to perform an organized shutdown of tunnels upon gateway restart is not supported.
01537760 Install policy fails on centrally managed appliances when a rule contains an action set to User authentication.
01563471 The "Monitoring" blade (Real Time Monitoring) is not supported.
01575875 In centrally managed 1100 and 1200R appliances, location configuration in user objects is not supported. Use access roles in SmartDashboard. 
01599121 Dynamic objects added in the Application Control and URL Filtering rule base are not matched.
01585541 In centrally managed appliances, in some instances a policy fetch success pop up message is shown before the Firewall or QoS policy is actually installed. 
01691069 In centrally managed 1100 and 1200R appliances, the option "Enable archive scanning" in Anti-Virus settings within Threat Prevention profiles is not supported. 
01690587 In centrally managed 1100 and 1200R appliances, Threat Prevention custom indicators are not supported.
02337281 Installing Security policy is supported for up to 25 centrally managed appliances simultaneously. To install policy on a larger number of appliances, it is advised to install in smaller batches.
SMB-3241 When a DMZ interface is used as a Local Network interface, the "Get Topology" action shows the DMZ interface as network type "Internal" instead of "DMZ."
  • Manually change the network type to "DMZ." 
SMB-2388 In a centrally managed 1100 appliance managed by SmartConsole in R80 and higher, the appliance is recognized as an Open server after SIC if it is not set manually.
  • Workaround: Set the hardware type to 1100 manually
SMB-5608 Policy installation fails in a centrally managed environment with more than 255 interfaces (in total) whose "security zone" is not set to "none" (e.g., internal, external, etc.).
  • Workaround: If there are no policy rules that use these security zones, change their configuration to "none" (in the Gateway properties -> Topology tab). 
01132456 Assigning Security Zones to interfaces on a SmartProvisioning profile is not supported.
01249327 Up to two internet connections can be defined in SmartProvisioning. If more than two connections are defined on the appliance, SmartProvisioning will not be updated with the appliance's configuration settings.
SMB-1383 In Small Office appliances, Identity Sharing is not supported when managed through the SmartProvisioning LSM profile. 
SmartView Monitor
01575868 In centrally managed appliances, SmartView Monitor has limitations when working with inaccessible gateways (for example, gateways behind NAT). Since it requires connecting from the Security Management Server to the gateways, many of the monitoring capabilities are unavailable in this
Logging and Monitoring
01628654  In locally managed appliances, multiple logs from different blades' engines can be shown for a single event (specifically Anti-Bot, Anti-Virus, and Application Control).
01595069 In local management, in specific scenarios, a large number of requests and logs are created, each time an attempt is made to browse to a Web site.
  • Workaround: when you define a proxy on the browser, make sure to exclude the local IP address or the network of the appliance. 
02385779 Use of non-English characters in AD server user names is not supported in local monitoring and reports on the Small Office Appliances.
- External Security Log Server cannot be configured when High Availability is turned on (not supported) on locally managed appliances
- Gaia Embedded appliances cannot send logs to more than one Security Management Server or Customer Log Server.

In locally managed appliances, when logs are forwarded to an R80.x Log Server / SmartLog, the origin column in the SmartLog / R80.x Log Server shows "myown_obj" instead of the gateway name.

SMP-2018 Security logs that are sent from the SMB Security Gateway to an external Check Point Log Server are sent with the gateway time instead of UTC. If the time on the Check Point Log Server is earlier than the log time the log will not appear on the Log Server.
Active Directory
01619298 AD group and user names that include non-English characters such as the letter o or e with an accent (') are not supported.
  • Automatic update of LDAP group membership does not work.
  • The PDP gateway becomes aware of added/removed users in LDAP groups only after policy installation.
  • Access Roles are not enforced for some of the users.
  • AD Query does not update user groups locally when a change is made to them on the Active Directory Server.
02103715 If the same administrator name is defined in both the local and RADIUS databases, the locally defined administrator permissions (read only, etc.) always take precedence over the permissions defined in the RADIUS server. We recommend you define unique administrator names for each database.
02444244 When you use a RADIUS server to define the device to authenticate administrators, the password defined in the RADIUS server for each administrator must comply with the allowed characters for a password on the device: a-zA-Z0-9!@#$%^&*()?-_=+:;.,/ 
SSL Network Extender
02324415 For all locally managed R77.20x appliances and R77.20.40 centrally managed appliances: To use SSL Network Extender (SNX) for VPN remote access, a client must have updated Java (2016) for the SNX portal to allow the download of the extender and further VPN remote access operations.
SMB-113 Procedures found in the "Gaia OS Best Practices" section of the Compliance blade are not supported in Small Office appliances.
Online updates
SMB-883 If the Time Zone is set after the command that turns off the First Time Wizard in a preset or auto conf script, the initial service updates might not start automatically in the first 12 hours after installation. The service updates can still be initiated manually.
  • Best practice: the command that turns off the First Time Wizard should be the last command in a preset or auto conf script. 
SMB-2914 If a firmware upgrade procedure is interrupted, intentionally or due to error, online updates might fail.
  • Workaround: reboot the device. 
SMB-2286 In centrally managed appliances, the standby member does not bring down the wireless networks.
Hotspot Portal

Hotspot portal redirection does not work when you browse to HTTPS sites.

  • First, browse to an HTTP site, and you will be redirected to a Hotspot portal.
- A centrally managed SMB appliance can be configured to use the Delay Sensitivity and Differential Services marking features only in Express QoS mode. Configuration is done in the "Advanced" section of the QoS action configuration window, which is unique to Edge/SG80 appliances. In Traditional QoS mode only the Best Effort QoS class is supported; using other classes will disable the QoS policy.
01593577 In centrally managed appliances configured with QoS in Express mode, internal interfaces should not be configured for QoS as it may cause loss of connectivity.
In R77.20.20, QoS works by default in accelerated mode. This decreases the chance of an interruption to internal traffic. Still, the common use case for QoS is to activate it on the external interfaces.
01659155 In connected centrally managed small office appliances, when a push policy of QoS and Firewall is attempted on a gateway that has been cleanly installed, the policy installation might show a failure icon on the QoS blade without additional error messages even though the push policy succeeded. If a Firewall policy push was attempted before the QoS policy installation it will also succeed.
01689471 Accelerated mode for QoS, as described in sk98229, is not supported for 600/1100/1200R appliances. 
  • Starting from R77.20.20, accelerated QoS is supported and active by default. 
01073326 When configuring QoS rules in SmartDashboard, the Bulk option in Delay Sensitivity is not supported.

In addition, when the Delay Sensitivity feature is configured, limit and guarantee values for the same rule are ignored. All rules that are configured with Delay Sensitivity = Interactive will share a joint limit. This limit is by default 20 percent of the interface's bandwidth.
This value can be changed through GuiDBedit Tool (firewall_properties -> floodgate_preferences -> llq_max_percent).
Note that setting this value to more than 20 percent can lead to starvation of all other traffic.
SMB-9793 QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging.
600 & 1100 Wireless Appliances
01676188 When you turn on the appliance, the WiFi sends the SSID before the network is configured. For about 2 minutes it is possible to connect to the wireless network, but there is no Internet connectivity and you cannot connect to the appliance. Afterwards normal WiFi functionality is available.
01976411 If more than one wireless network is defined in a locally managed cluster, synchronization of wireless network settings between the cluster members is not supported. Configure multiple wireless networks separately on each member.
01751375 In the wireless password field it may be possible to paste non-printable characters. However, the password will not be usable in that case. 
